Podcast: Latest NYDFS, CFPB Actions, and What the Venezuela Sanctions Mean for Banks

In our latest podcast, Steven Stachowicz and Christine Bucy from Protiviti’s Risk and Compliance practice discuss the latest round of regulatory compliance news featured in the September issue of Compliance Insights. For more compliance news, click here to read the complete newsletter.

Kevin Donahue: Hello, this is Kevin Donahue, Senior Director with Protiviti, welcoming you to a new installment of Powerful Insights. I’m joined today by Steven Stachowicz and Christine Bucy. Steve is a Managing Director with Protiviti’s Risk and Compliance practice and Christine is an Associate Director with the risk and compliance group. We’re talking to both of them today about some of the key issues discussed in the September issue of Compliance Insights, Protiviti’s monthly newsletter that looks at the latest in compliance for financial institutions and other organizations. Steve, thanks for joining me today.

Steven Stachowicz: Thank you, Kevin.

Kevin Donahue: Christine, as always, it’s great to speak with you as well.

Christine Bucy: Thanks for having me.

Kevin Donahue: Christine, let me toss the first question to you. The New York Department of Financial Services has issued significant monetary penalties against the U.S. branch of a foreign bank, with the branch eventually settling and closing altogether. The Bank Secrecy Act and OFAC violations sound pretty severe – lack of oversight over AML activities, inadequate customer due diligence and more. Christine, what suggestions do you have to offer to other banks, both foreign and domestic, to avoid such scrutiny?

Christine Bucy: Sure. Thanks, Kevin. I think as alluded to in this month’s article, one of the things that we suggest primarily is making sure that the local branch of a foreign bank has proper and adequate buy-in from their head office. So what we’ve been communicating to our clients is that they have adequate head office support, and what we mean by that is making sure that the local branch and head office are communicating and coordinating and really coming as a united front when the regulators come into their local branch and start reviewing their programs. I think – and again this is just specific to foreign financial institutions – but making sure that head office not only understands the local laws and regulations of the U.S. branch, for instance, but making sure they understand the severity of the issues going on as well. I think one would be, of course, the head office support, and that could be done through a variety of ways. We recommend to a lot of our clients that they establish a proper forum between the local branch and head office, whether it’s to set any meeting or a monthly meeting or a quarterly meeting, but something to demonstrate that there is this ongoing communication, and not only having this ongoing communication but having a charter with roles and responsibilities and expectations between both the local branch management and the head office branch management.

Secondly, I think, as local branches are undergoing these exams and even post-exams, it’s very important for these local branches to communicate the issues that are rising out of these exams, and especially the severity of the issues, meaning whether these issues are repeat issues and what areas of the program they’re impacting. And not only communicating these issues to their head office but making sure that your audit teams are aware of these issues, your quality assurance teams are aware of these issues, any other compliance testing teams that you have are aware that these issues have occurred and whether or not they’re duplicative.

A third suggestion that we would have for our clients is helping ensure that local banks and branches have proper issue management functions in place. I think the key here is helping to ensure that there are remedial action plans around some of these issues and making sure that duplicative issues are treated with a level of severity and escalated appropriately.

Kevin Donahue: Thanks, Christine. Before I ask Steve some of the questions I have, let me ask you one more about another article in the newsletter, new OFAC sanctions restricting Venezuela’s access to U.S. markets. In light of these sanctions, how should banks make sure they stay vigilant and up-to-date of sanctions programs in this dynamic global environment we have right now?

Christine Bucy: Well, I think that’s a great question and it’s one that’s becoming more and more relevant. I think a lot of the resources that banks and financial institutions have within their organizations need to stay vigilant to ensure that they are aware of the news and the constantly changing environment that’s taking place and understand how it impacts their organization. What we’ve seen a lot of our clients do is develop new training programs specifically around sanctions and embargos. They’ve also developed dedicated functions and roles and responsibilities around emerging regulatory risk just so banks can understand how the environment is impacting their organization.

Kevin Donahue: Thanks, Christine. Steve, let’s toss it over to you. I see that we have more news that’s come from the Consumer Financial Protection Bureau. Credit reporting is important to consumers because it affects their ability to get loans, insurance, or even a job. Steve, how does credit reporting intersect with deposits and savings accounts, and why is the Bureau’s most recent consent order relevant to financial institutions?

Steven Stachowicz: Sure. Thanks, Kevin. It’s a good question. When we learned compliance, Compliance 101, we learned of credit reporting in exactly the context in which you frame it. Your traditional credit reports that you use to get that credit score and qualify for a loan, qualify for insurance policy or even get a job. But there are broader uses for that information and there is additional information that comes from other sources that is used to qualify individuals for something as basic as cashing a check at their local grocery store, and that’s something that doesn’t get the same amount of attention. So in Compliance 101, you learn that consumer report is a communication of information by a credit reporting agency that bears on credit worthiness, credit standing, credit capacity, character, reputation, personal characteristics or mode of living. It’s a general definition that we all learned early on and you think about it quite literally in the context of credit and credit reporting, but the term is actually “consumer reporting” and goes beyond just credit.

So welcome to the world of technology and some of the evolving consumer financial products and services that are out there. But there are specialty consumer reporting agencies that are not necessarily household names to most of us that collect information from multiple sources, including banks, and use that information for a variety of purposes including, like I said, cashing a check at your grocery store or validating identity. The consent order the Bureau issued highlights something that we really don’t think about a whole lot from a compliance practitioner space, and that’s the fact that consumer reporting takes the form of other than just loan information. What happens in this particular consent order is that the bank that was furnishing information to one of these specialty consumer reporting agencies, furnishing information about deposits and savings accounts, didn’t necessarily have all of the appropriate processes and controls to manage the accuracy and integrity of that data and respond to consumer disputes the way that’s required under the Fair Credit Reporting Act and that we typically see as well-established programs in the credit or lending spaces. So it’s interesting, the consent order is demonstrative of the broader definition of consumer reporting but also provides a little bit of insight into the scope of what the Bureau is looking at. They’re looking at the broader definition of consumer reporting and its various impacts on customers and they’re not just limiting that to the traditional credit reporting that you and I think about.

Kevin Donahue: Thanks, Steve. My last question is also for you and is also tied to some more guidance from the Bureau regarding pay-by-phone fees. How big of an effort is necessary from the institutions to review and amend procedures and processes to bring them in alignment with what the Bureau expects, compared to the risk of getting fined for not doing this?

Steven Stachowicz: You would hope that’s actually not a very big lift for organizations. That there is not going to be some need to go through and drastically revise processes and procedures and scripts and whatnot today because, presumably, these fees, to the extent that they exist in the bank or financial institution’s environment, are already consumer-friendly, if you will. The concern that the CFPB addresses in the guidance, and not necessarily in terms of a regulatory requirement, is that they have found through their examination process, through consumer complaints, that certain fees that customers incur, that are charged to customers who are trying to make a payment by phone, are not incredibly transparent, that there are options or alternatives that customers could take advantage of and maybe not incur the fee or incur lesser fee and those aren’t always readily explained to consumers, and so there’s concerns about misrepresentation and customer harm.

In terms of the lift for a financial institution, I would say that hopefully it’s not much of one, but fees and charges, in general, are probably one of the higher risk areas for a bank or a non-financial institution to manage from a UDAP perspective. So we’re talking about Unfair, Deceptive or Abusive Acts and Practices, and the management of UDAP risk.

Fees and charges are always an area where there’s a risk of customer harm, misrepresentation and the like and so, I think as part of that program, there should be an evaluation of these types of fees along with a lot of other fees and charges that banks already impose on their customers to make sure that they’re being fully disclosed, that if there are options or alternatives that those things that are being discussed and that those fees are reasonable and the options are reasonable and customers can take advantage and make an informed choice, and then look at scripting and call monitoring and making sure that these things are being explained appropriately to customers. And to the extent that you’re doing that and it’s already part of your program, it’s not really that big of a lift. If it’s not, if you have a UDAP risk management program that’s really just a program on paper but not looking at some of these things in substance, this guidance of the Bureau issued today is just another good example of something that that particular program should be picking up on and monitoring for.

Kevin Donahue: Steve and Christine, thanks very much for joining me again to discuss the September issue of our Compliance Insights newsletter. I want to remind our audience that they can visit protiviti.com/compliance-insights where they can find and read the complete copy of this newsletter as well as prior issues.